topic ASA 9.7(1) introduced PBKDF2 in Network Security

ASA5515X: md5 hash for local passwords

holger.weinel1 — Tue, 12 Mar 2019 09:22:49 GMT

Hi,

the CSO of our Company note that the Password localy saved in Firewall configuration are saved with a md5 hash.

Serveral sites at the Internet provide the possibility to decrypt passwords encrypted with those unsecure hashing algorithems.

Firmware: Cisco Adaptive Security Appliance Software Version 9.5(3)6

Hardware: ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC

I did find a hardeníng guide under

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html

This guide contains the following note:

"... ASA uses Message Digest 5 (MD5) for Password hashing."

Is there no possibilty to use secure hash algorithems such as SHA512 for Password hashes locally stored at the startup-config?

Kind regards

Holger Weinel

ASA 9.7(1) introduced PBKDF2

Marvin Rhoads — Wed, 17 May 2017 08:11:38 GMT

ASA 9.7(1) introduced PBKDF2 hashing for local passwords.

PBKDF2 hashing for all local username and enable passwords

Local username and enable passwords of all lengths are stored in the configuration using a PBKDF2 (Password-Based Key Derivation Function 2) hash. Previously, passwords 32 characters and shorter used the MD5-based hashing method. Already existing passwords continue to use the MD5-based hash unless you enter a new password. See the "Software and Configurations" chapter in the General Operations Configuration Guide for downgrading guidelines.

We modified the following commands: enable password, username

Reference: http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

You should also be using centralized authentication (which prevents use of local credentials unless there is no access to your AAA server) and restricting management access to the ASA to trusted interfaces (so that any attack would have to come from an insider vs. any random script launched against your public IP).

Re: ASA 9.7(1) introduced PBKDF2

blukens07 — Wed, 06 Dec 2017 19:30:56 GMT

I am trying to find out what SHA type that the PBDKF2 hashing is using for local password storage on the ASA's. I want to make sure that its a high level of encryption. I don't see this discussed in any documents. Anyone?

Re: ASA5515X: md5 hash for local passwords

williopoulos@gmail.com — Wed, 03 Jun 2020 14:30:04 GMT

Dear Community,

Following on in this thread I am encountering an interesting problem:-

My newly created usernames have their passwords stored in the config as pbkdf2 passwords.

However, when I try to login via SSH using one of these new usernames I get "Access Denied" errors.

In troubleshooting this problem I have copied the username config from another device using the "encrypted" flag on the password.

When using this "encrypted" username and it's associated password all works fine.

Does anybody else have any experience with this type of behavior?

Thanks

Andrew